Friday, May 4, 2012

Listen & Read First

Some quick thoughts on the Network World article "How to land a cybersecurity job"

QUICK RANT:  First off, I was immediately annoyed by the terms "cybersecurity" and "expert" being used and honestly wasn't going to read the article.  You say "expert" but what I hear is "WARNING:  Credibility of this content is degraded, spend your time at your own risk."  In addition, the use of the term "Cybersecurity" really says to me "We just jumped on this bandwagon a few years ago and that is what everyone else is calling it."

Sorry for the rant, but it is a polite request: in lieu of "expert" please use "professional," "leader," "practitioners," etc.  Many options.  In lieu of Cybersecurity just call it what it is, InfoSec.

Secondly, I completely disagree with both the philosophy and the feasibility of getting a certification first.  Here is my version of the first four steps in building an InfoSec career:

1.  Get on the twitters and listen.  The first four years of my career were spent learning from people more experienced than I.  Invaluable.  Get involved - go to meetups, cons, etc.
2.  READ.  EVERYTHING. There is a wealth of information available publicly, over 300 security blogs, coding best practices, sample code, security procedures, policies, theories, etc.
3.  Get a box (or use uber cheap EC2), build a *nix distro, web server, and SQL server.  Leave default configs / installs, poor passwords, etc. and use Metasploit or other basic easy tools to break in.  Find some free defensive tools to keep yourself out.  Might want to lock down the firewall too ;)  This will probably keep you busy for a bit, it is certainly not the most comprehensive training in breaking in but it is a place to start and the education is in the process and doing it yourself.
4.  Get a job as an IT/Network admin or as a coder (if exp allows) if you can't find an entry level InfoSec position, as there are few.  In security you have to know every technology, so the admin experience will help you tremendously.  Coding: INVALUABLE and super hot / needed right now.
5.  Keep working at it and you will get a shot.  Once you have the opportunity to use your education, then request formal training from your employer.  Pick a class that is specific to your goals that you will use in the near future.  If a cert comes along with it that is great and it will help subsequent opportunities, but focus on the value of the education, not the letters.  If you spend $3K on a class, get certified, and do not get a job for 2 years, you just wasted your money.

Ok, that's all IMHO.  If none of the above works maybe I am full of it and you should go get a cert and a job in Cybersecurity ;)

1 comment:

  1. Lorenzo Martinez, May 4, 2012 at 9:58 PM

    EM,
    This was a wholly refreshing read. Coming from the point-of-view of someone who is trying to enter the InfoSec industry, this all comes as something remarkably comforting. I know that it would be entirely naive to think anything other than you have to work your way, and work hard, to the "top". I do believe that in order to be effective in this industry it is important to be well-read and to have contacts to bounce ideas off of. To know that there are many avenues to follow in order to get on a good path in InfoSec also helps. Ultimately, to have someone who has experience and years in the industry tell you how to tackle something is probably something that many entry-level people need. Thanks.